mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
4f31106ac4
* Mark non-secret leaking module options with no_log=False (#2001)
* Mark non-secret leaking module options with no_log=False.
* Add changelog fragment.
(cherry picked from commit 1ea080762b
)
* Add one more.
Co-authored-by: Felix Fontein <felix@fontein.de>
278 lines
8.7 KiB
Python
278 lines
8.7 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
# Copyright: (c) 2019, Evgeniy Krysanov <evgeniy.krysanov@gmail.com>
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
__metaclass__ = type
|
|
|
|
DOCUMENTATION = r'''
|
|
---
|
|
module: bitbucket_access_key
|
|
short_description: Manages Bitbucket repository access keys
|
|
description:
|
|
- Manages Bitbucket repository access keys (also called deploy keys).
|
|
author:
|
|
- Evgeniy Krysanov (@catcombo)
|
|
options:
|
|
client_id:
|
|
description:
|
|
- The OAuth consumer key.
|
|
- If not set the environment variable C(BITBUCKET_CLIENT_ID) will be used.
|
|
type: str
|
|
client_secret:
|
|
description:
|
|
- The OAuth consumer secret.
|
|
- If not set the environment variable C(BITBUCKET_CLIENT_SECRET) will be used.
|
|
type: str
|
|
repository:
|
|
description:
|
|
- The repository name.
|
|
type: str
|
|
required: true
|
|
username:
|
|
description:
|
|
- The repository owner.
|
|
type: str
|
|
required: true
|
|
key:
|
|
description:
|
|
- The SSH public key.
|
|
type: str
|
|
label:
|
|
description:
|
|
- The key label.
|
|
type: str
|
|
required: true
|
|
state:
|
|
description:
|
|
- Indicates desired state of the access key.
|
|
type: str
|
|
required: true
|
|
choices: [ absent, present ]
|
|
notes:
|
|
- Bitbucket OAuth consumer key and secret can be obtained from Bitbucket profile -> Settings -> Access Management -> OAuth.
|
|
- Bitbucket OAuth consumer should have permissions to read and administrate account repositories.
|
|
- Check mode is supported.
|
|
'''
|
|
|
|
EXAMPLES = r'''
|
|
- name: Create access key
|
|
community.general.bitbucket_access_key:
|
|
repository: 'bitbucket-repo'
|
|
username: bitbucket_username
|
|
key: '{{lookup("file", "bitbucket.pub") }}'
|
|
label: 'Bitbucket'
|
|
state: present
|
|
|
|
- name: Delete access key
|
|
community.general.bitbucket_access_key:
|
|
repository: bitbucket-repo
|
|
username: bitbucket_username
|
|
label: Bitbucket
|
|
state: absent
|
|
'''
|
|
|
|
RETURN = r''' # '''
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible_collections.community.general.plugins.module_utils.source_control.bitbucket import BitbucketHelper
|
|
|
|
error_messages = {
|
|
'required_key': '`key` is required when the `state` is `present`',
|
|
'required_permission': 'OAuth consumer `client_id` should have permissions to read and administrate the repository',
|
|
'invalid_username_or_repo': 'Invalid `repository` or `username`',
|
|
'invalid_key': 'Invalid SSH key or key is already in use',
|
|
}
|
|
|
|
BITBUCKET_API_ENDPOINTS = {
|
|
'deploy-key-list': '%s/2.0/repositories/{username}/{repo_slug}/deploy-keys/' % BitbucketHelper.BITBUCKET_API_URL,
|
|
'deploy-key-detail': '%s/2.0/repositories/{username}/{repo_slug}/deploy-keys/{key_id}' % BitbucketHelper.BITBUCKET_API_URL,
|
|
}
|
|
|
|
|
|
def get_existing_deploy_key(module, bitbucket):
|
|
"""
|
|
Search for an existing deploy key on Bitbucket
|
|
with the label specified in module param `label`
|
|
|
|
:param module: instance of the :class:`AnsibleModule`
|
|
:param bitbucket: instance of the :class:`BitbucketHelper`
|
|
:return: existing deploy key or None if not found
|
|
:rtype: dict or None
|
|
|
|
Return example::
|
|
|
|
{
|
|
"id": 123,
|
|
"label": "mykey",
|
|
"created_on": "2019-03-23T10:15:21.517377+00:00",
|
|
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADA...AdkTg7HGqL3rlaDrEcWfL7Lu6TnhBdq5",
|
|
"type": "deploy_key",
|
|
"comment": "",
|
|
"last_used": None,
|
|
"repository": {
|
|
"links": {
|
|
"self": {
|
|
"href": "https://api.bitbucket.org/2.0/repositories/mleu/test"
|
|
},
|
|
"html": {
|
|
"href": "https://bitbucket.org/mleu/test"
|
|
},
|
|
"avatar": {
|
|
"href": "..."
|
|
}
|
|
},
|
|
"type": "repository",
|
|
"name": "test",
|
|
"full_name": "mleu/test",
|
|
"uuid": "{85d08b4e-571d-44e9-a507-fa476535aa98}"
|
|
},
|
|
"links": {
|
|
"self": {
|
|
"href": "https://api.bitbucket.org/2.0/repositories/mleu/test/deploy-keys/123"
|
|
}
|
|
},
|
|
}
|
|
"""
|
|
content = {
|
|
'next': BITBUCKET_API_ENDPOINTS['deploy-key-list'].format(
|
|
username=module.params['username'],
|
|
repo_slug=module.params['repository'],
|
|
)
|
|
}
|
|
|
|
# Look through the all response pages in search of deploy key we need
|
|
while 'next' in content:
|
|
info, content = bitbucket.request(
|
|
api_url=content['next'],
|
|
method='GET',
|
|
)
|
|
|
|
if info['status'] == 404:
|
|
module.fail_json(msg=error_messages['invalid_username_or_repo'])
|
|
|
|
if info['status'] == 403:
|
|
module.fail_json(msg=error_messages['required_permission'])
|
|
|
|
if info['status'] != 200:
|
|
module.fail_json(msg='Failed to retrieve the list of deploy keys: {0}'.format(info))
|
|
|
|
res = next(iter(filter(lambda v: v['label'] == module.params['label'], content['values'])), None)
|
|
|
|
if res is not None:
|
|
return res
|
|
|
|
return None
|
|
|
|
|
|
def create_deploy_key(module, bitbucket):
|
|
info, content = bitbucket.request(
|
|
api_url=BITBUCKET_API_ENDPOINTS['deploy-key-list'].format(
|
|
username=module.params['username'],
|
|
repo_slug=module.params['repository'],
|
|
),
|
|
method='POST',
|
|
data={
|
|
'key': module.params['key'],
|
|
'label': module.params['label'],
|
|
},
|
|
)
|
|
|
|
if info['status'] == 404:
|
|
module.fail_json(msg=error_messages['invalid_username_or_repo'])
|
|
|
|
if info['status'] == 403:
|
|
module.fail_json(msg=error_messages['required_permission'])
|
|
|
|
if info['status'] == 400:
|
|
module.fail_json(msg=error_messages['invalid_key'])
|
|
|
|
if info['status'] != 200:
|
|
module.fail_json(msg='Failed to create deploy key `{label}`: {info}'.format(
|
|
label=module.params['label'],
|
|
info=info,
|
|
))
|
|
|
|
|
|
def delete_deploy_key(module, bitbucket, key_id):
|
|
info, content = bitbucket.request(
|
|
api_url=BITBUCKET_API_ENDPOINTS['deploy-key-detail'].format(
|
|
username=module.params['username'],
|
|
repo_slug=module.params['repository'],
|
|
key_id=key_id,
|
|
),
|
|
method='DELETE',
|
|
)
|
|
|
|
if info['status'] == 404:
|
|
module.fail_json(msg=error_messages['invalid_username_or_repo'])
|
|
|
|
if info['status'] == 403:
|
|
module.fail_json(msg=error_messages['required_permission'])
|
|
|
|
if info['status'] != 204:
|
|
module.fail_json(msg='Failed to delete deploy key `{label}`: {info}'.format(
|
|
label=module.params['label'],
|
|
info=info,
|
|
))
|
|
|
|
|
|
def main():
|
|
argument_spec = BitbucketHelper.bitbucket_argument_spec()
|
|
argument_spec.update(
|
|
repository=dict(type='str', required=True),
|
|
username=dict(type='str', required=True),
|
|
key=dict(type='str', no_log=False),
|
|
label=dict(type='str', required=True),
|
|
state=dict(type='str', choices=['present', 'absent'], required=True),
|
|
)
|
|
module = AnsibleModule(
|
|
argument_spec=argument_spec,
|
|
supports_check_mode=True,
|
|
)
|
|
|
|
bitbucket = BitbucketHelper(module)
|
|
|
|
key = module.params['key']
|
|
state = module.params['state']
|
|
|
|
# Check parameters
|
|
if (key is None) and (state == 'present'):
|
|
module.fail_json(msg=error_messages['required_key'])
|
|
|
|
# Retrieve access token for authorized API requests
|
|
bitbucket.fetch_access_token()
|
|
|
|
# Retrieve existing deploy key (if any)
|
|
existing_deploy_key = get_existing_deploy_key(module, bitbucket)
|
|
changed = False
|
|
|
|
# Create new deploy key in case it doesn't exists
|
|
if not existing_deploy_key and (state == 'present'):
|
|
if not module.check_mode:
|
|
create_deploy_key(module, bitbucket)
|
|
changed = True
|
|
|
|
# Update deploy key if the old value does not match the new one
|
|
elif existing_deploy_key and (state == 'present'):
|
|
if not key.startswith(existing_deploy_key.get('key')):
|
|
if not module.check_mode:
|
|
# Bitbucket doesn't support update key for the same label,
|
|
# so we need to delete the old one first
|
|
delete_deploy_key(module, bitbucket, existing_deploy_key['id'])
|
|
create_deploy_key(module, bitbucket)
|
|
changed = True
|
|
|
|
# Delete deploy key
|
|
elif existing_deploy_key and (state == 'absent'):
|
|
if not module.check_mode:
|
|
delete_deploy_key(module, bitbucket, existing_deploy_key['id'])
|
|
changed = True
|
|
|
|
module.exit_json(changed=changed)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|